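# Signs every `sparrow-*` asset attached to a release with cosign keyless
# signing (Sigstore) and uploads the resulting .sig / .crt files back to the
# same release.
#
# NOTE(review): assets are signed as downloaded from the release. Nothing in
# this workflow ties them to a build, so any file present under a `sparrow-*`
# name when the job runs receives a signature. Confirm that only the build
# pipeline can attach assets before this job starts.
#
# Consumers should check signatures with `cosign verify-blob`, constraining
# both `--certificate-identity` (this workflow's identity) and
# `--certificate-oidc-issuer` (the GitHub Actions token issuer). Without the
# identity constraint a valid signature only shows that someone signed the
# file.
name: Release signing (sigstore)

on:
  release:
    # NOTE(review): the activity-type list was empty in the listing this was
    # restored from, and a bare `types:` is a YAML null. `published` is the
    # assumed intent -- confirm against the repository copy.
    types: [published]

jobs:
  sign:
    name: Sign release assets with cosign keyless
    runs-on: ubuntu-latest
    permissions:
      id-token: write  # required for keyless signing
      contents: write  # upload signed artifacts back to the release
    steps:
      # This job holds `id-token: write` and `contents: write`, so the action
      # below runs with the ability to mint the signing identity. `v3` is a
      # mutable tag; pin to the full commit SHA of a reviewed release.
      - name: Install cosign
        uses: sigstore/cosign-installer@v3

      - name: Download release assets
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through the environment rather than expanded into the
          # script text: a tag name may contain shell metacharacters such as
          # `$(` or a backtick, and `${{ }}` is substituted before the shell
          # parses the script.
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          mkdir -p signing
          cd signing
          # GITHUB_REPOSITORY is set by the runner to owner/repo.
          gh release download "$RELEASE_TAG" --repo "$GITHUB_REPOSITORY"
          ls -la

      - name: Sign every asset
        run: |
          cd signing
          for f in sparrow-*; do
            # Skip the literal pattern when nothing matched, and non-files.
            [ -f "$f" ] || continue
            cosign sign-blob --yes \
              --output-signature "$f.sig" \
              --output-certificate "$f.crt" \
              "$f"
          done

      - name: Upload signatures and certs to release
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
        run: |
          cd signing
          for f in *.sig *.crt; do
            [ -f "$f" ] || continue
            # --clobber replaces an existing asset of the same name.
            gh release upload "$RELEASE_TAG" "$f" \
              --repo "$GITHUB_REPOSITORY" --clobber
          done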